Kerberos: kadmin.local: No such file or directory while initializing kadmin.local interface (cloudera quickstart) [closed]

1

I am running (as sudo) a script for setting up Kerberos (which I will include below) on a CentOS machine (in a QuickStart Docker container).
The strange thing is that I have run this script successfully many times on other machines.

Unfortunately, it does not work and I get the error mentioned above.

So, in more detail, this is the script I ran:

#! /usr/bin/env bash

set -e

function terminate() {
    if [ "${PAUSE}" == 'true' ]; then
        read -p "Press [Enter] to exit..."
    fi
    exit ${1}
}

function ensure_user_is_root() {
    if [[ "$EUID" -ne "0" ]]; then
        echo "You must run this script as root. Try 'sudo ${0} ${@}'."
        terminate 1
    fi
}

function parse_arguments() {
    for argument in "${@}"; do
        if [ "${argument}" == '--force' ]; then
            export FORCE='true'
        elif [ "${argument}" == '--pause' ]; then
            export PAUSE='true'
        else
            echo "Unknown option: ${argument}"
            terminate 1
        fi
    done
}

function log() {
    echo "[QuickStart] ${1}"
}

parse_arguments "${@}"

KERBEROS_REALM=${KERBEROS_REALM:-CLOUDERA}
KERBEROS_DOMAIN=${KERBEROS_DOMAIN:-cloudera}
KERBEROS_HOSTNAME=${KERBEROS_HOSTNAME:-quickstart.${KERBEROS_DOMAIN}}
KERBEROS_PRINCIPAL=${KERBEROS_PRINCIPAL:-cloudera-scm/admin}
KERBEROS_PASSWORD=${KERBEROS_PASSWORD:-cloudera}
JAVA_HOME=${JAVA_HOME:-/usr/java/jdk1.7.0_*-cloudera}

ensure_user_is_root

# Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
# for JDK/JRE 7 must be installed in order to use 256-bit AES encryption
#if [ ! -e /home/cloudera/Downloads/UnlimitedJCEPolicyJDK7.zip ]; then
#    echo "You must first download the \"Java Cryptography Extension (JCE) Unlimited"
#    echo "Strength Jurisdiction Policy Files for JDK/JRE 7\" to /home/cloudera/Downloads."
#    echo "You can download them here:"
#    echo ""
#    echo "    http://www.oracle.com/technetwork/java/javase/downloads/index.html"
#    echo ""
#    terminate 2
#fi

#log 'Unpacking Unlimited JCE policy files...'
#cd /tmp
#unzip /home/cloudera/Downloads/UnlimitedJCEPolicyJDK7.zip

#log 'Installing Unlimited JCE policy files...'
#mv UnlimitedJCEPolicy/*.jar ${JAVA_HOME}/jre/lib/security/

log 'Installing Kerberos...'
yum install -y krb5-server krb5-workstation openldap
chkconfig krb5kdc on
chkconfig kadmin on

touch /var/lib/cloudera-quickstart/.kerberos

log 'Configuring Kerberos...'

cat > /etc/krb5.conf <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ${KERBEROS_REALM}
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 ${KERBEROS_REALM} = {
  kdc = ${KERBEROS_HOSTNAME}
  admin_server = ${KERBEROS_HOSTNAME}
  max_renewable_life = 7d 0h 0m 0s
  default_principal_flags = +renewable
 }

[domain_realm]
 .${KERBEROS_DOMAIN} = ${KERBEROS_REALM}
 ${KERBEROS_DOMAIN} = ${KERBEROS_REALM}
EOF

cat > /var/kerberos/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ${KERBEROS_REALM} = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
  # for JDK/JRE 7 must be installed in order to use 256-bit AES encryption (aes256-cts:normal)
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_life = 30d
  max_renewable_life = 30d
 }
EOF

echo "*/admin@${KERBEROS_REALM}  *" > /var/kerberos/krb5kdc/kadm5.acl

log 'Setting root password for Kerberos...'
expect - <<EOF
set timeout 60

spawn kdb5_util create -s
expect "Enter KDC database master key:"
send "${KERBEROS_PASSWORD}\r"
expect "Re-enter KDC database master key to verify:"
send "${KERBEROS_PASSWORD}\r"
expect eof
EOF

log 'Creating Kerberos principal...'
expect - <<EOF
set timeout 60

spawn kadmin.local -q "addprinc ${KERBEROS_PRINCIPAL}"
expect "Enter password for principal \"${KERBEROS_PRINCIPAL}@${KERBEROS_REALM}\":"
send "${KERBEROS_PASSWORD}\r"
expect "Re-enter password for principal \"${KERBEROS_PRINCIPAL}@${KERBEROS_REALM}\":"
send "${KERBEROS_PASSWORD}\r"
expect eof
EOF

log 'Starting Kerberos services...'
service krb5kdc start
service kadmin start

cat <<EOF
________________________________________________________________________________

Success! Kerberos is now running. You can enable Kerberos in a Cloudera Manager
cluster from the drop-down menu for that cluster on the CM home page. It will
ask you to confirm that this script performed the following steps:

    * set up a working KDC.
    * checked that the KDC allows renewable tickets.
    * installed the client libraries.
    * created a proper account for Cloudera Manager.

Then, it will prompt you for the following details (accept defaults if not
specified here):

    KDC Type:                MIT KDC
    KDC Server Host:         ${KERBEROS_HOSTNAME}
    Kerberos Security Realm: ${KERBEROS_REALM}

Later, it will prompt you for KDC account manager credentials:

    Username: ${KERBEROS_PRINCIPAL} (@ ${KERBEROS_REALM})
    Password: ${KERBEROS_PASSWORD}

EOF

terminate

And this is the exact output I get:

[root@quickstart /]# sudo ./home/cloudera/kerberos
[QuickStart] Installing Kerberos...
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: ftp.cvut.cz
 * epel: mirror.slu.cz
 * extras: ftp.cvut.cz
 * updates: ftp.cvut.cz
Package krb5-server-1.10.3-65.el6.x86_64 already installed and latest version
Package krb5-workstation-1.10.3-65.el6.x86_64 already installed and latest version
Package openldap-2.4.40-16.el6.x86_64 already installed and latest version
Nothing to do
[QuickStart] Configuring Kerberos...
[QuickStart] Setting root password for Kerberos...
spawn kdb5_util create -s
Loading random data
cloudera
cloudera
[QuickStart] Creating Kerberos principal...
spawn kadmin.local -q addprinc cloudera-scm/admin
Authenticating as principal root/admin@CLOUDERA with password.
kadmin.local: No such file or directory while initializing kadmin.local interface
send: spawn id exp4 not open
    while executing
"send "cloudera\r""

The exact lines of the script that fail are:

log 'Creating Kerberos principal...'
expect - <<EOF
set timeout 60

spawn kadmin.local -q "addprinc ${KERBEROS_PRINCIPAL}"
expect "Enter password for principal \"${KERBEROS_PRINCIPAL}@${KERBEROS_REALM}\":"
send "${KERBEROS_PASSWORD}\r"
expect "Re-enter password for principal \"${KERBEROS_PRINCIPAL}@${KERBEROS_REALM}\":"
send "${KERBEROS_PASSWORD}\r"
expect eof
EOF
    
asked by Dorian 21.08.2017 - 19:18
source

1 answer

0

After the status output, the first error printed in the output is:

kadmin.local: No such file or directory while initializing kadmin.local interface

The format of the error message fits a common pattern seen in many Kerberos utilities:

"program_name:" "error message" while "task".

So, the error message is from kadmin.local, saying "No such file or directory". Look into that; strace if necessary. Find out which file or directory is missing.

    
answered 27.09.2017 - 19:44
source
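
A pre-flight check along the lines the answer suggests, as an added example that is not part of the original answer or the asker's script: it lists which of the files the setup script should have left in place before kadmin.local runs are absent. The `principal` database name and `.k5.<REALM>` stash-file name are assumed from the MIT krb5 defaults, since the kdc.conf in the question sets neither `database_name` nor `key_stash_file`; `missing_kdc_files` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): list the files the setup script
# should have left in place before kadmin.local runs, and flag any that are absent.
# Assumed names: "principal" (database) and ".k5.<REALM>" (stash file) are the
# MIT krb5 defaults; the kdc.conf shown in the question does not override them.

# missing_kdc_files KDC_DIR REALM KRB5_CONF
# Prints one "missing: <path>" line per absent file; prints nothing if all exist.
missing_kdc_files() {
    mkf_dir=$1
    mkf_realm=$2
    mkf_conf=$3
    for mkf_path in \
        "${mkf_conf}" \
        "${mkf_dir}/kdc.conf" \
        "${mkf_dir}/kadm5.acl" \
        "${mkf_dir}/principal" \
        "${mkf_dir}/.k5.${mkf_realm}"
    do
        if [ ! -e "${mkf_path}" ]; then
            echo "missing: ${mkf_path}"
        fi
    done
    return 0
}

# Paths and realm as used by the script in the question.
missing_kdc_files /var/kerberos/krb5kdc "${KERBEROS_REALM:-CLOUDERA}" /etc/krb5.conf
```

If every file is present, `strace -f -e trace=file kadmin.local -q listprincs` shows each path the tool tries to open, and the failing one is reported with ENOENT.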
